Topic: Howto: Easy route-based VPN configuration

signal15

Howto: Easy route-based VPN configuration
« on: February 07, 2006, 05:24:01 pm »
I work for a Juniper reseller and spend a lot of time going to client sites to configure VPNs, and it's pretty amazing how many people haven't figured out how to set up a VPN with a Netscreen using a preshared key.  So, here's a walkthrough (using the web interface) of a route-based VPN solution between two Netscreens:

Scenario:
Firewall A -> Internet -> Firewall B
1. Log into Firewall A through the web interface
2. Configure your tunnel interface
 a. Click Network -> Interfaces
 b. Make sure the dropdown in the top left says Tunnel IF, and click New
 c. I put mine in the Untrust zone because I want all of my VPN traffic to run through my Untrust->Trust policy
 d. Click unnumbered and select the untrust interface
 e. click OK
3. Configure your VPN Gateway
 a. Click VPNs -> AutoKey Advanced -> Gateway
 b. click New
 c. Name the gateway "FirewallB-gw"
 d. I always select the custom security level; you'll see why in a following step
 e. Enter the public IP address of Firewall B
 f. Carefully enter your preshared key
 g. select untrust for your outgoing interface
 h. click advanced
 i. select User defined (custom)
 j. in the first dropdown select pre-g2-aes128-sha
 k. click return at the bottom
 l. click OK at the bottom
4. Create the VPN
 a. on the menu on the left select VPNs -> Autokey Advanced
 b. click New
 c. name it FirewallB-vpn
 d. select Custom
 e. leave predefined checked and select your FirewallB-gw in the dropdown
 f. click Advanced
 g. select custom
 h. in the first dropdown, select g2-esp-aes128-sha
 i. turn on replay protection
 j. Bind to tunnel interface, and select your tunnel interface you created in step 2
 k. turn on VPN monitor (this will bring up the VPN right away and keep it up even when there's no traffic on it)
 l. click Return
 m. click OK
5. You need to add routes to the remote network.  You can configure the tunnel interfaces to run OSPF, or you can add a static.  I will tell you how to add a static.
 a. on the menu click Network -> Routing -> Destination
 b. click new
 c. type in the network address behind Firewall B
 d. Select Gateway
 e. Select your tunnel interface in the dropdown
 f. click ok
6. Add your policy to allow access to/from the remote network.  If you are not in NAT mode on your trust interface, make sure you check position at top when creating a Trust->Untrust rule, or it will NAT the traffic to your untrust IP or DIP pool and then send it across the tunnel, which you probably don't want.  Create an Untrust->Trust policy which allows access from the network behind Firewall B to hosts or the network behind Firewall A.  You probably want to allow Ping at a minimum.
7. Repeat steps 1-6 on Firewall B.  Substituting Firewall A's data.

The VPN should pop up and everything should work.  You can also use the little wizard thing, but I haven't tried it.  If you use it, I don't think it picks the most secure cipher for P1 and P2, this is why we set this up manually.  If one or both of your Netscreens is behind something that does NAT, you will also have to turn on NAT traversal on both ends.

If you don't want static routes and want to use OSPF instead, you can create an OSPF instance under the trust VR.  Make sure you add the tunnel interfaces and your internal interfaces to it, and tell it to advertise your private networks.  You will then have to go under each interface that you added, and turn on OSPF.  On tunnel interfaces, you can enable demand circuit and add it to the area, apply the changes, and then Enable OSPF on it.
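The same build as a ScreenOS CLI session, added here as an example; this is not signal15's configuration or anything from the original post. The public addresses (198.51.100.1 and 203.0.113.2), the LANs (10.1.0.0/16 behind A, 10.2.0.0/16 behind B), ethernet3 as the untrust interface, ethernet1 as the trust interface, the address-book names and the preshared key are all assumed values; substitute your own. The proxy-ID line is included because several replies in this thread found it necessary; both ends must mirror it exactly.

```screenos
# ---- Firewall A (untrust = ethernet3, public 198.51.100.1, LAN 10.1.0.0/16) ----
# Step 2: tunnel interface in the Untrust zone, unnumbered off ethernet3
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

# Step 3: Phase 1 gateway with the custom proposal pre-g2-aes128-sha.
# The preshared key is an assumed placeholder; use a long random value, not a word.
set ike gateway FirewallB-gw address 203.0.113.2 main outgoing-interface ethernet3 preshare "ReplaceWithLongRandomSecret" proposal pre-g2-aes128-sha
# Only if one side sits behind a NAT device (see the note at the end of the post):
# set ike gateway FirewallB-gw nat-traversal

# Step 4: Phase 2 VPN, replay protection on, bound to tunnel.1, VPN monitor with rekey
set vpn FirewallB-vpn gateway FirewallB-gw replay proposal g2-esp-aes128-sha
set vpn FirewallB-vpn bind interface tunnel.1
set vpn FirewallB-vpn monitor rekey
# Proxy-ID: the peer must carry the mirror image (local/remote swapped)
set vpn FirewallB-vpn proxy-id local-ip 10.1.0.0/16 remote-ip 10.2.0.0/16 any

# Step 5: static route to the remote LAN via the tunnel interface
set route 10.2.0.0/16 interface tunnel.1

# Step 6: policies. "top" keeps them above any policy that would source-NAT outbound traffic.
set address trust "LAN-A" 10.1.0.0 255.255.0.0
set address untrust "LAN-B" 10.2.0.0 255.255.0.0
set policy top from trust to untrust "LAN-A" "LAN-B" any permit
set policy top from untrust to trust "LAN-B" "LAN-A" any permit
save

# ---- Firewall B: step 7, the same commands with the values swapped ----
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set ike gateway FirewallA-gw address 198.51.100.1 main outgoing-interface ethernet3 preshare "ReplaceWithLongRandomSecret" proposal pre-g2-aes128-sha
set vpn FirewallA-vpn gateway FirewallA-gw replay proposal g2-esp-aes128-sha
set vpn FirewallA-vpn bind interface tunnel.1
set vpn FirewallA-vpn monitor rekey
set vpn FirewallA-vpn proxy-id local-ip 10.2.0.0/16 remote-ip 10.1.0.0/16 any
set route 10.1.0.0/16 interface tunnel.1
set address trust "LAN-B" 10.2.0.0 255.255.0.0
set address untrust "LAN-A" 10.1.0.0 255.255.0.0
set policy top from trust to untrust "LAN-B" "LAN-A" any permit
set policy top from untrust to trust "LAN-A" "LAN-B" any permit
save

# ---- Alternative to step 5: OSPF in trust-vr instead of the static route ----
# (use instead of, not together with, the "set route" line above)
# tunnel.1 only shows up in the trust-vr instance if its zone is bound to trust-vr;
# "get zone" shows the zone-to-vrouter binding.
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf enable
set interface ethernet1 protocol ospf area 0.0.0.0
set interface ethernet1 protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf demand-circuit
set interface tunnel.1 protocol ospf enable

# ---- Verify on either side ----
get ike cookies            # Phase 1 SA present for the peer address
get sa                     # Phase 2 SA shows status A (active), not I (inactive)
get route | include tunnel.1
```

If "get sa" shows the tunnel inactive while "get ike cookies" shows Phase 1 up, the usual cause is a Phase 2 mismatch: compare the proposal and the proxy-ID on both ends before touching anything else.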

thextreme

Re: Howto: Easy route-based VPN configuration
« Reply #1 on: March 30, 2006, 02:36:40 pm »
Fantastic post!!! Really useful!! :-D

y2k

Re: Howto: Easy route-based VPN configuration
« Reply #2 on: April 04, 2006, 11:56:01 am »
definitely ... thanks for that

Alvi

Re: Howto: Easy route-based VPN configuration
« Reply #3 on: April 10, 2006, 12:45:52 pm »
Great! Just what I was looking for! One small question on "step 2":

should "zone VR" and "interface" be untrust?

signal15

Re: Howto: Easy route-based VPN configuration
« Reply #4 on: April 10, 2006, 10:11:19 pm »
You mean should the VR be untrust?  It depends on which VR you've put your untrust zone.

Maybe I don't understand what you're asking.  It's late and I'm tired.  :)

Alvi

Re: Howto: Easy route-based VPN configuration
« Reply #5 on: April 12, 2006, 10:09:40 am »
On step 2 I'm a little confused. There are two different fields that I am not sure what to choose - hope this makes more sense:

Zone (VR) - should this show "Untrust (trust-vr)"?

Unnumbered - should this show "interface trust (trust-vr)"?

ggcc

Re: Howto: Easy route-based VPN configuration
« Reply #6 on: April 13, 2006, 03:21:16 pm »
Hello Signal15,

Request for a route-based VPN configuration with OSPF (I tried to create an OSPF instance under trust-vr, but I can't find the tunnel.1 interface under Available interfaces to add, only ethernet3).

Thank you.

Tormey

Re: Howto: Easy route-based VPN configuration
« Reply #7 on: April 19, 2006, 10:33:53 am »
Great post. Thank you. I was only able to make it work when I entered local and remote "Proxy IDs" in the autokey IKE. Your check list didn't include this step. Wondering what your thoughts are on that.

sebastan_bach

Re: Howto: Easy route-based VPN configuration
« Reply #8 on: April 25, 2006, 10:19:54 am »
Hi signal, is there a way we can configure VPNs dynamically between 2 Netscreen firewalls? I mean that the branch firewall, say a Netscreen 5-GT, will get policies dynamically from a central VPN headend firewall, say a Netscreen-500, and dynamically build the VPN without much user intervention. In Cisco PIX and routers we have this function called Easy VPN. Does Netscreen support that?

regards

sebastan

signal15

Re: Howto: Easy route-based VPN configuration
« Reply #9 on: May 01, 2006, 10:50:08 pm »
You can set up a dynamic VPN on the headend, and have an arbitrary number of client boxes (5GT's or whatever).  This way, you would not have to have a configuration on the headend for every client.

sebastan_bach

Re: Howto: Easy route-based VPN configuration
« Reply #10 on: May 06, 2006, 05:31:36 am »
Hi signal, thanks for your info. Is this similar to Cisco Easy VPN?

regards

sebastan

junipoint

Re: Howto: Easy route-based VPN configuration
« Reply #11 on: May 07, 2006, 10:18:05 pm »
I'm not aware of any Easy-VPN like functionality with Netscreen. Pick your poison, use all route-based configuration or a combination of route and policy based. If you use policy-based on your remote devices you can get by with 5 lines of configuration, but on your head-end device you'll need to use route-based and create a tunnel interface for each remote peer. If you don't have that many remote peers this can be manageable.


Sambamurthy

Re: Howto: Easy route-based VPN configuration
« Reply #12 on: May 12, 2006, 02:33:21 am »
Hi Signal,

I am trying to create a VPN between a Netscreen-10 and a Netscreen-25. The method you described is available on the Netscreen-25, but I am not able to do it with the Netscreen-10. Can you please help me out with this?

Thanks and Regards,
Sambamurthy

xiaomingpu

Re: Howto: Easy route-based VPN configuration
« Reply #13 on: March 29, 2007, 12:15:22 am »
good

roryred

Re: Howto: Easy route-based VPN configuration
« Reply #14 on: August 17, 2007, 07:35:20 am »
Quoting Tormey: "...I was only able to make it work when I entered local and remote "Proxy IDs" in the autokey IKE."

Same here on our NS-50s, and now I have a new problem. Both LANs on the far ends of the tunnel use private IP addressing (the same addresses). Where do I put the MIP so that they can use the public address instead? On the tunnel? And what other changes are required?

greg1c

Re: Howto: Easy route-based VPN configuration
« Reply #15 on: September 21, 2007, 04:54:20 am »
A couple of minor things I found doing this.

Turn on replay protection - do not do this if you have an HA firewall setup:

Replay Protection: Enabling this feature requires that each IKE negotiation have a sequence number. If you plan to use high availability (HA), do not enable this option. The HA function cannot maintain a VPN tunnel with this option. If the master unit fails, the tunnel is not maintained and IKE negotiations must begin again.


VPN monitor will keep the SA up if you enable Rekey:

Rekey: Select this check box if you want to keep a security association (SA) active even if there is no other VPN traffic except the ICMP echo requests (pings) sent by the VPN monitoring module. When the key lifetime for a Phase 1 or Phase 2 security association (SA) is about to expire, the rekey option renews the key, resets the key lifetime, and keeps the SA active.


Other than that it worked like a charm between an SSG-140 and a NS-25, I never realized it was so simple.


Greg



ggcc

Re: Howto: Easy route-based VPN configuration
« Reply #16 on: October 09, 2007, 06:11:03 pm »
(quoting greg1c's Reply #15 above in full)

Do you know why I cannot select the radio button for Heartbeat or DPD? (I select one of the radio buttons, click OK to save, then go back in and it's gone.)  I used to be able to select Heartbeat with an earlier version (I don't remember which version, but I think there was no DPD).

Netscreen 50:

Device Information
  Hardware Version: 4010(0)
  Firmware Version: 5.4.0r4.0 (Firewall+VPN)

Peer Status Detection (gateway Advanced page)
  Heartbeat: Hello (seconds, 1~3600, 0: disable); Reconnect (seconds, 60~9999); Threshold
  DPD: Interval (seconds, 3~28800, 0: disable); Retry (1~128); Always Send
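The two settings greg1c quotes (replay protection on an HA pair, VPN monitor with rekey) and the Heartbeat-or-DPD choice from the Peer Status Detection page above, done from the CLI. This is an added example and not any poster's configuration; the names FirewallB-gw, FirewallB-vpn, tunnel.1, ethernet1 and the monitored host 10.2.0.10 are assumed values. Heartbeat and DPD are alternatives on the same gateway, which is what the radio button in the web form reflects; configure one of the two.

```screenos
# ---- Phase 2 on an NSRP (HA) cluster: no-replay instead of replay ----
# Everything else is as in a single-box route-based VPN.
set vpn FirewallB-vpn gateway FirewallB-gw no-replay proposal g2-esp-aes128-sha
set vpn FirewallB-vpn bind interface tunnel.1

# ---- VPN monitor with rekey ----
# Plain form: pings the remote gateway and renews the SA before its lifetime expires,
# so the tunnel stays up with no user traffic at all.
set vpn FirewallB-vpn monitor rekey
# Alternative: ping a host behind the peer, sourced from the trust interface address,
# so the monitor also proves the far LAN is reachable (10.2.0.10 and ethernet1 are assumed).
# Only the last "set vpn ... monitor" line entered takes effect.
# set vpn FirewallB-vpn monitor source-interface ethernet1 destination-ip 10.2.0.10 rekey

# ---- Peer liveness on the Phase 1 gateway: choose ONE mechanism ----
# DPD (RFC 3706), the portable choice; interval in seconds, retry count before the SA is torn down
set ike gateway FirewallB-gw dpd interval 10
set ike gateway FirewallB-gw dpd retry 3
# NetScreen heartbeat, proprietary, only between NetScreen peers:
# set ike gateway FirewallB-gw heartbeat hello 5
# set ike gateway FirewallB-gw heartbeat reconnect 60
# set ike gateway FirewallB-gw heartbeat threshold 5
save

# ---- Check what actually took effect ----
get ike gateway FirewallB-gw     # shows DPD/heartbeat values on this gateway
get sa active                    # only SAs the monitor or traffic is currently keeping up
```

If the web interface refuses to keep the radio button, "get ike gateway" after a CLI "set" is the quick way to confirm whether the setting is present in the running configuration regardless of what the form shows.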


juned

Re: Howto: Easy route-based VPN configuration
« Reply #17 on: October 10, 2007, 12:29:45 am »
How do I configure a route-based dial-up VPN?

CBSystems

Re: Howto: Easy route-based VPN configuration
« Reply #18 on: November 16, 2007, 03:11:45 pm »
I've managed to get closer to having my VPN set up following your instructions than I have been able to with the manual and my poor memory!
Now my only problem is that while I have an established and active VPN, I can't get traffic to route down it. When setting a policy, if I select Tunnel to SiteB VPN, I get "Peer Gateway for SiteB have VPN with tunnel interface binding vpn valid or not exist"
This leaves me confused. I know I'm on the right path with that, but I can't seem to get the traffic down the tunnel.

Any ideas?
Thanks,
P

stuartbrainerd

Re: Howto: Easy route-based VPN configuration
« Reply #19 on: November 18, 2007, 09:59:13 am »
Are you using a route-based VPN or a policy-based VPN?  With a route-based VPN you would use "permit" for the action in the policy, not tunnel.  Combined with the route table entry, this will allow traffic to flow across the tunnel, which should be bound to the appropriate tunnel interface.  It is a good practice to bind the tunnel interface to a separate zone than your "Trust" zone; either the Untrust zone or a separate VPN zone works best.
Stuart Brainerd
Synapse Networks
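Stuart's two points (permit, not tunnel, for a route-based VPN; bind the tunnel interface to its own zone) and junipoint's remark that a policy-based spoke needs only a handful of lines, side by side in CLI form. This is an added example, not configuration from any poster. LAN-A 10.1.0.0/16, LAN-B 10.2.0.0/16, hub public address 198.51.100.1, ethernet3 as untrust, the zone name VPN and the gateway/VPN names are assumed values.

```screenos
# ---- Route-based (what the how-to builds): the ROUTE selects the tunnel, the policy just permits ----
set vpn FirewallB-vpn bind interface tunnel.1
set route 10.2.0.0/16 interface tunnel.1
set policy top from trust to untrust "LAN-A" "LAN-B" any permit
set policy top from untrust to trust "LAN-B" "LAN-A" any permit
# Wrong for a VPN that is bound to a tunnel interface: "tunnel vpn" is the policy-based action
# set policy top from trust to untrust "LAN-A" "LAN-B" any tunnel vpn FirewallB-vpn

# ---- Stuart's suggestion: a dedicated VPN zone instead of Untrust ----
# Traffic from Trust into a custom zone is not subject to the trust interface's NAT mode,
# and the VPN policies no longer share the Untrust zone with Internet policies.
set zone name VPN
set zone VPN vrouter trust-vr
set interface tunnel.1 zone VPN
set address VPN "LAN-B" 10.2.0.0 255.255.0.0
set policy top from trust to VPN "LAN-A" "LAN-B" any permit
set policy top from VPN to trust "LAN-B" "LAN-A" any permit

# ---- Policy-based spoke (junipoint's "5 lines"), e.g. a 5GT talking to a route-based hub ----
# No tunnel interface and no route on the spoke; the policy action carries the VPN.
set address trust "Spoke-LAN" 10.2.0.0 255.255.0.0
set address untrust "Hub-LAN" 10.1.0.0 255.255.0.0
set ike gateway Hub-gw address 198.51.100.1 main outgoing-interface ethernet3 preshare "ReplaceWithLongRandomSecret" proposal pre-g2-aes128-sha
set vpn Hub-vpn gateway Hub-gw replay proposal g2-esp-aes128-sha
set policy top from trust to untrust "Spoke-LAN" "Hub-LAN" any tunnel vpn Hub-vpn
set policy top from untrust to trust "Hub-LAN" "Spoke-LAN" any tunnel vpn Hub-vpn
# A policy-based VPN derives its proxy-ID from the policy addresses (10.2.0.0/16 <-> 10.1.0.0/16).
# The hub's route-based VPN for this spoke must state the mirror image or Phase 2 fails:
#   on the hub: set vpn Spoke1-vpn proxy-id local-ip 10.1.0.0/16 remote-ip 10.2.0.0/16 any
save
```

The hub side still needs one tunnel interface, one VPN and one route per spoke, as junipoint says; the spoke side is the part that stays short.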